Researchers Boot Million Linux Kernels to Help Botnet Research

Scientists at Sandia National Laboratories have demonstrated the ability to run more than 1 million Linux kernels as virtual machines, an effort they say will ultimately help researchers analyzing massive botnets.

Scientists at Sandia National Laboratories are harnessing more than a
million Linux kernels as virtual machines as part of an effort to aid researchers
to better analyze botnet behavior.
According to Sandia, which serves as an R&D arm for the Department of
Energy, the project will allow security researchers to observe behavior
found in botnets
operating on the scale of a million nodes.

"Botnets, said Sandia's Ron Minnich, are often difficult to analyze
since they are geographically spread all over the world," said a Sandia statement
July 28. "Running a high volume of VMs on one supercomputer-at a similar
scale as a botnet-would allow cyber-researchers to watch
how botnets work" and experiment with ways to stop them.

"We can get control at a level we never had before," said Minnich,
a computer scientist.
The research comes at a time when the botnet
threat continues to grow. A list of the biggest spam botnets plaguing users
today would include some names familiar to researchers, like Cutwail
and Rustock. Earlier in 2009, researchers estimated that the Conficker botnet
at its height controlled millions of compromised Windows PCs.
In the past, the Sandia statement cited Minnich as saying, "researchers
had only been able to run up to 20,000 kernels concurrently." To make
the project a reality, Sandia used a "4,480-node Dell high-performance
computer cluster, known as Thunderbird. To arrive at the 1 million Linux kernel
figure, Sandia's researchers ran one kernel in each of 250 VMs and coupled
those with the 4,480 physical machines on Thunderbird."
According to the statement: "The more kernels that can be run at once
... the more effective cyber-security professionals can be in combating the
global botnet problem."
Minnich said, "Eventually, we would like to be able to emulate the
computer network of a small nation, or even one as large as the United
States, in order to 'virtualize' and monitor
a cyber-attack."